Kibana: Review UX and text of the authentication related screens

Created on 24 Nov 2020 · 14 Comments · Source: elastic/kibana

There are a number of authentication screens we have in Kibana that are rarely seen by our users and hence we don't touch them very often either. But I believe it makes sense to periodically review them with the Design and Docs Teams to make sure the texts are still relevant and the UX is consistent.

Fail states of the Login Form/Selector

  • When administrators, mistakenly or not, configured Kibana in a way that doesn't allow any authentication mechanisms:

login-is-disabled

  • When administrators configured Kibana to use Secure cookies, but didn't configure Kibana to use TLS (a strict requirement in this case):

secure-connection

  • When Elasticsearch isn't available

es-connection

  • When Elasticsearch is available, but we cannot retrieve current license for some reason

no-license

  • Unexpected error during login page rendering (it should never happen in theory, if it happens it's most likely a bug in our code or some weird network glitch)

unexpected-error

Logout related messages

  • When user hits logout button and _Login Selector/Form is enabled_ (the most common use case these days)

selector-logged-out

  • When user hits logout button and _Login Selector/Form is NOT enabled_. I thought maybe it'd make sense to unify wording in this case with the case above? The only problem is that the font is larger on this screen and the message will be split into multiple lines unless we change styles.

logged-out

  • When Kibana forces user to log out because of expired session and _Login Selector/Form is enabled_

selector-session-expired

  • When Kibana forces user to log out because of expired session and _Login Selector/Form is NOT enabled_. It looks exactly the same as the case when user decides to log out on their own. Would probably make sense to change the wording here as well, but again the current font size may be a problem. I'm explicitly calling out the font size since this page/component is re-used in other cases (access agreement and overwritten session screen described below) that will be affected if we change the font size.

logged-out

Other messages

  • When user happens to automatically re-login when they already had an active session _as a different user_ (quite rare case, but it happens)

overwritten-session

All 14 comments

Pinging @elastic/kibana-security (Team:Security)

@elastic/kibana-docs @elastic/kibana-core-ui-designers could you please review these screens and texts and let me know if you think we should change/improve anything?

I also left a couple of questions regarding unification of "logout" messages for the case with and without Login Selector.

Thanks!

Thanks for putting this together @azasypkin, so many variations that I've not seen before!

Two quick takes:

  • the copy/text feels like the area of most need
  • while I understand the reason for changing the 'Welcome to Elastic' title, we should avoid using that for system messages

As we work through the copy, we can also explore where best to put the system messages. A subtitle, for example, would be a preferable solution, and I'm certain we can come up with some other title message that does not _welcome_ people to the log out screen 😆

> As we work through the copy, we can also explore where best to put the system messages. A subtitle, for example, would be a preferable solution, and I'm certain we can come up with some other title message that does not welcome people to the log out screen 😆

Thanks for the feedback! And I agree with everything you've just posted :slightly_smiling_face:

I'll take a look at the copy and post my comments here.

Login error messages

Instead of "Welcome to Elastic" how about using the logo alone or the logo + elastic (as on the website)

Kibana not configured

Login is disabled (no ending period)
Contact your system administrator.

Secure connection (ok as is)

A secure connection is required for log in
Contact your system administrator.

Elasticsearch isn't available

Cannot connect to the Elasticsearch cluster
Try reloading the page. See the Kibana logs for details.

Can't retrieve the current license

Cannot connect to the Elasticsearch cluster currently configured for Kibana
To use the full set of free features in this distribution, please update Elasticsearch to the default distribution.

@alexfrancoeur How should we word the text regarding licensing?

Problem rendering login screen

Cannot render login page
Try reloading the page. See the Kibana logs for details.

Logout error messages

Selector form enabled

One of the following:

You have logged out.
You have logged out of Elastic
You have logged out. Log in again at any time.

Selector form NOT enabled

Whatever you decide above

Session time out with form enabled (ok as is)

Your session has timed out. Please log in again.

Session time out when form is NOT enabled

Your session has timed out. Please log in again.

Previously logged in as different user 1
This one is confusing. Will the previous log in always be elastic? Can we give users the choice to log in as a different user?

You previously logged in as elastic.

Continue as elastic | Log in as a different user

Previously logged in as different user 2

Should we also consider this one screen as part of this PR?

Screen Shot 2020-11-25 at 1 30 28 PM

Suggested text:

You don't have permission to access this page

Go back to the previous page or log in as a different user.

Question: why log in as a different user and not contact your administrator to request access?

> This one is confusing. Will the previous log in always be elastic? Can we give users the choice to log in as a different user?

Yeah, sorry for not being clear on this one. This screen is shown when the user has already automatically re-logged in as a different user. In this case the user re-logged in as elastic, but it can be any username. Here we just notify the user after the fact (we don't offer Log in as a different user here since it may not be possible in a number of scenarios, so we took the easiest route).

> Should we also consider this one screen as part of this PR?

Yeah, sure! It was recently added/reviewed, that's why I skipped it initially, but happy to make any adjustments to this one too.

> @alexfrancoeur How should we word the text regarding licensing?

@gchaps thanks for the tag and @azasypkin thanks for the detailed breakdown of each scenario. I agree, it's useful to periodically review the content in these error messages.

Here's what's currently presented.

Cannot connect to the Elasticsearch cluster currently configured for Kibana
To use the full set of free features in this distribution, please update Elasticsearch to the default distribution.

@azasypkin can you confirm two quick things. Does this error only occur when there is a license mismatch? And if so, does it only occur with OSS and Basic? Or can this occur with Basic and Gold+ as well?

Here are some quick suggestions. What do you think @gchaps? Is there any way we can reduce the text in the below suggestions?

If this error is only shown when there is a license mismatch and the license tier doesn't matter

Cannot connect to the Elasticsearch cluster currently configured for Kibana
The Elasticsearch cluster license does not match the license for Kibana, contact your system administrator

Alternatively

The Elasticsearch cluster license does not match the license for Kibana
Contact your system administrator

If the error is only shown when there is a license mismatch and this only occurs with an OSS ES cluster and a Basic+ Kibana

Cannot connect to the Elasticsearch cluster currently configured for Kibana
The Elasticsearch cluster license does not match the license for Kibana, contact your system administrator to take advantage of the full set of free features from Elastic

Alternatively

The Elasticsearch cluster license does not match the license for Kibana
Contact your system administrator to take advantage of the full set of free features from Elastic

I like the alternate version that @alexfrancoeur suggested because the title is more descriptive. Is the word "cluster" necessary after Elasticsearch? Instead can it be:

The Elasticsearch license does not match the Kibana license
Contact your system administrator.

The Elasticsearch license does not match the Kibana license
Contact your system administrator for the full set of free features from Elastic.

> @azasypkin can you confirm two quick things. Does this error only occur when there is a license mismatch? And if so, does it only occur with OSS and Basic? Or can this occur with Basic and Gold+ as well?

As far as I can tell it's for the case when default distribution of Kibana tries to connect to the OSS ES and hence cannot get any license information. But I've just checked this scenario and I see that on 7.x/master Kibana doesn't start at all in this case. @kobelb do you know if we still need to support this setup somehow?

> As far as I can tell it's for the case when default distribution of Kibana tries to connect to the OSS ES and hence cannot get any license information.

👍 I quickly checked version 7.4, and this is what happens on that version. I'm not sure which version this stopped working in, though.

> But I've just checked this scenario and I see that on 7.x/master Kibana doesn't start at all in this case. @kobelb do you know if we still need to support this setup somehow?

I think we have some wiggle room here; however, I don't think the current behavior is acceptable. At a minimum, I think we should make it explicit to the user that this is the reason why Kibana is essentially inoperable. In 7.10, Kibana is crashing on startup without clearly stating why it failed to start-up. The behavior in 7.10 is likely to confuse our users and not help them remedy the situation. If we were to crash on start-up with an explicit error message, I think that'd be fine.

When we say crash, I'm guessing we don't mean this wonderfully placed error underneath the login screen 😄 +1 on Brandon's suggestion on a more explicit error in that case. If we need to revisit this text again, I'm happy to finish iterating with Gail. The suggestions here generally work for me https://github.com/elastic/kibana/issues/84200#issuecomment-736664814

> I think we have some wiggle room here; however, I don't think the current behavior is acceptable. At a minimum, I think we should make it explicit to the user that this is the reason why Kibana is essentially inoperable. In 7.10, Kibana is crashing on startup without clearly stating why it failed to start-up. The behavior in 7.10 is likely to confuse our users and not help them remedy the situation. If we were to crash on start-up with an explicit error message, I think that'd be fine.

Good, thanks for confirming! Filed the issue: https://github.com/elastic/kibana/issues/84864

> Suggested text:
> You don't have permission to access this page
> Go back to the previous page or log in as a different user.
> Question: why log in as a different user and not contact your administrator to request access?

Sorry @gchaps, somehow missed this question. I'll let @watson comment on that, but from the technical standpoint we definitely need to give users a way to invalidate the current session and start a new one using different credentials or a different login method: e.g. if an admin is testing new user accounts or role mappings for their users, they need a way to re-login as an administrator to tweak those role mappings in case they did something wrong. In addition to that, the absolute majority of the login mechanisms we provide today require users to re-login to get the latest roles/privileges snapshot if they change after login anyway.

Proposing to contact administrator also makes sense here though and if we can propose this in addition to log in as a different user that would be ideal.

> When we say crash, I'm guessing we don't mean this wonderfully placed error underneath the login screen 😄

We'll see what options we have in https://github.com/elastic/kibana/issues/84864 :slightly_smiling_face:

Let's go with this. That seems like enough options to give the user.

You don't have permission to access this page
Go back to the previous page or log in as a different user.
